FORUM: Managing exposure to today's technology related risks
April 2013 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
FW moderates a discussion on technology related risks between Ronald I. Raether at Faruki Ireland & Cox P.L.L., Robert Bond at Speechly Bircham LLP, and Jim Charron at Zurich North America.
FW: To what extent have technology risks evolved in recent years? Are companies struggling to adapt to the pace of change and the variety of new threats?
Raether: We are seeing a recycling of threats that dominated the landscape 10 years ago. For example, we dealt with the same Oracle Java vulnerabilities being discussed today in 1999 and 2000 with Netscape. Hackers use some of these earlier threat vectors, such as denial of service attacks, in new ways. Where denial of service had been the primary mode of attack, now it is often used to draw away limited security resources so that the attackers can exploit some other vulnerability. These risks in perimeter security, application development and social engineering still require attention. However, many companies are still not addressing such basic issues as considering privacy and security early in the development cycle, aka ‘privacy by design’. Likewise, companies are placing too much emphasis on dealing with threats to the perimeter and are not dedicating enough resources to detecting a breach and remediation. This deficiency becomes particularly important as the number of devices and the mobility of those devices increase. Companies – and the regulating authorities – need to be more effective with the limited resources currently available.
Bond: The growth of global technology solutions and devices coupled with the use of social media and the growing lack of discretion amongst users are all reasons why information security is a priority for businesses. According to the insurer AIG there are currently 9 billion connected devices worldwide predicted to rise to 24 billion by 2020. If Facebook was a country it would be the third largest in the world but up to 600,000 Facebook accounts are blocked every day after hacking attempts. More than 6.7 million distinct malware infected computers were detected in 2009 and finally up to 77 million customers were threatened by the well publicised Sony data breach a few years ago. Most organisations are struggling to keep the pace with the development of technology and the changing laws and regulations relating to security. For the past few years any focus on security has been more on physical and organisational issues and there has been a lack of attention to detail in relation to both internal and external threats that arise from the use of mobile devices, social media and cloud technology.
Charron: The challenge of keeping up with risks associated with technological change is not new. What is new is the convergence of so many disruptive technologies, including big data, the cloud, social media and mobile, each with their own risk factors, affecting companies across the globe. Historically technologies such as network computing, ecommerce and the internet have been layered in with companies deciding how much, and when they want to engage. Today the changes come from so many sources – employees using their own devices for work, customer expectations for mobility, social media, and the opportunities from big data and the cloud.
FW: In terms of cyber security, what trends are you seeing? Are there any particularly vulnerable, high-target sectors?
Bond: There is a heightened threat from nation state sponsored hacking as well as politically motivated hacking. Recently the Obama administration in the United States published proposals for new rules regarding cyber security, particularly for critical infrastructure companies, and the European Commission similarly published a proposed Directive on cyber security. According to the insurer AIG, global cyber security spending was expected to have reached $60bn in 2011 and is forecast to grow 10 percent every year during the next three to five years. Whilst there is currently a focus on critical infrastructure companies which are seen as posing most national concerns as to the damage arising from a cyber security incident, there is no doubt that all organisations are vulnerable to an increasing security risk. A report by Accenture in 2012 called ‘Data at the Tipping Point’ found that “there is a notable difference between organisations intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape”. The same report also found that “compliance complacency is prevalent throughout the world” and “organisations that exhibit a culture of caring with respect to data privacy and protection are far less likely to experience security breaches”.
Charron: In the US we are seeing more regulatory action from breaches. It is interesting to note those companies with best of breed risk management policies have been successful in minimising monetary fines. The regulators are sending a message – they expect compliance with privacy laws including defined controls such as encryption for personally identifiable information. The breaches are widespread, in healthcare, financial and government we see the most press and regulatory action. Outside the US we see less regulatory response even though some countries have more strict regulations than the US. This could of course change as expectations of security increase.
Raether: We have worked for years with companies in highly regulated sectors which are often the focus of attacks. These companies have employed privacy by design and also recognised that security does not stop at protecting and monitoring the perimeter. The knowledge and experience of these companies are beginning to be recognised by other industries. Being more proactive raises another current trend – hack back or active defence. Such responses range from the extreme measure of using a denial of service attack against the originating servers to less intrusive measures such as trace backs and honeypots. The legal permissibility of such actions is uncertain; however, we are working on policies to navigate these issues. Unfortunately, the sectors most likely to be attacked – healthcare and mobile applications, especially mobile payments – are not always employing these measures. The reasons remain the same: ignorance or applying limited resources to developing user functionality over baking in security as evidenced by the recent FTC settlement with a mobile application developer Path. However, the consequences also are the same as often others, such as class counsel, may benefit from your ideas and hard work.
FW: What steps can companies take to mitigate potential security breaches? Are there established methods of identifying and prioritising technology risks?
Charron: For security breaches, start with the data. Categorise it so you know what you have. Does any of it fall under the protection of authorities? For example, trade secrets and personally identifiable information should be treated differently from less sensitive data. How you protect it will follow, whether on your own network or sourced to others. In terms of technology risks as a whole, security breaches deserve priority treatment but consider other risks that could result in reputational damage such as supply chain and intellectual property. How could network failure – yours or a third-party’s – affect your ability to operate? Are your employees using software and mobile devices not authorised by your company?
Raether: Companies need to consider security and privacy early in the development process rather than bolting security on after the product is released. Companies fail to do so because of limited security resources or limited resources generally. Likewise, many companies do not allocate their resources properly, placing too much emphasis on perimeter security and not enough on detection and rapid remedial response. There are a number of standards and methods for developing a sound security regime. For example, Microsoft’s SDL, Cigital’s touchpoints, and OWASP CLASP/SAMM provide general standards for software development. Other common standards (for example, FISMA) place too much emphasis on written policies and procedures, generating volumes of paper that often collect dust. Perimeter tests and black box tests also are common. The problem is that none of these solutions go far enough to improve security and instead draw resources away from more effective measures, such as developing intrusion detection models and hiring more personnel to be involved in detection and, critically, personnel trained and positioned to rapidly respond once there has been a breach.
Bond: Organisations should have in place a practice around information security that assesses the organisation’s procedures in order to identify weak points in existing security measures such as the use of portable storage devices or access to public networks. Companies should monitor staff awareness of security issues and look to fill any gaps through training or tailored advice. Businesses should consider whether or not they need to establish a group of technical and non-technical staff to discuss ‘what if’ scenarios as this would highlight risks and weaknesses as well as giving staff a different level of opportunity to suggest solutions. If a business already has a continuity plan for dealing with serious business continuity incidents they should also consider implementing a similar plan for data security.
FW: What insurance solutions are available on the market to help manage security breaches?
Raether: The cyber insurance market is relatively new and as a result coverage varies among the offerings. Generally, coverage addresses two areas: first party coverage (direct expenses), and third-party coverage (payments to cover costs of customers, consumers and others). Companies should look at the first-party coverage to determine whether it includes notification expenses to alert stakeholders of a breach and provide them, when necessary, with credit monitoring services. Other first-party expenses might include repairing reputation harmed by a breach, including public relations costs; restoring systems and data; repaying funds stolen through fraud or extortion; and covering revenue losses associated with computer system disruptions. Third-party coverage might include court-imposed damages, regulatory penalties and defence costs associated with lawsuits alleging the disclosure of customers’ personally identifiable information or harm to business partners’ systems. In sum, the details are important, so make sure whoever provides advice in the space is knowledgeable. Switching to a related issue, do you require outsource vendors to have insurance covering such losses? This should be a requirement in your agreement. The vendor agreement should also require that your company be a named insured and proof of insurance, such as a copy of the declarations page, be provided.
Charron: There is a robust market for security breach insurance. Most policies start with a privacy or E&O liability insuring agreement and offer breach mitigation costs, which reimburse for notification, credit monitoring and crisis management expenses. Many also offer media, cyber extortion, consumer redress, regulatory proceedings and other first party cyber coverage such as electronic vandalism. It is also important to consider the cost of business interruption, both to profit and reputation, and to calculate the extra expenses of recovery. These disruption and recovery costs are often the most significant impact from a breach or outage, whether at your own location or at a third party provider. In fact, respondents from across 68 countries to our annual survey with the Business Continuity Institute revealed that the leading cause of supply chain disruption is unplanned IT or telecom outage, with 52 percent of organisations surveyed experiencing some or high impact disruption as a result. There is an ‘all risk’ insurance policy available that could cover both the cost of supply disruption and the extra recovery expense from hacking and related issues at a third party supplier. Every policy is bespoke and tailored to fit specific needs, and could also cover a broad range of other supplier disruption causes such as labour unavailability, natural catastrophe, transportation issues and other interruptions. There is also significant value in doing proactive analysis around the potential costs of disruptions. Companies can have a gap analysis done on their own or their suppliers’ business continuity plans, to ensure it will respond appropriately to a breach. It is also wise to undergo a thorough supply chain risk assessment to better understand their exposure to potential interruptions from IT outages or other disruption causes.
Firms can also access tools such as business interruption or contingent interruption modelling software that will map out their value flows from vendor to client, so there can be scenario and stress testing done on recovery plans.
Bond: There are an increasing number of insurance policies that cover information security incidents or cyber risk and insurers continue to develop unique policies and coverage. Cyber risk policies require the insured business to have implemented comprehensive policies and procedures and particularly have in place a cyber breach response plan.
FW: In what ways are data security laws changing? Is it becoming more difficult for companies to keep up to date and maintain legal and regulatory compliance?
Bond: There are many US state laws which address data breaches and the requirement to notify data subjects but in addition in the US there are myriad laws which specifically relate to information security around health insurance, banking, medical devices and children. There is an increasing body of case law in the US on data security breaches. Canada has its own legislation around information security and in the European Union there is of course the data protection Directive and the E-privacy Directive, both of which address information security. The EU is currently considering a new data protection regulation which will have an increased focus on information security and data breaches and there are laws cropping up all over the world around the protection of personal data and the management of information security. In addition to general information security issues there is particular focus in 2013 on cyber warfare and cyber espionage. Recently President Obama specifically focused on the threat from China and referenced a number of countries which are known to support nation state sponsored hacking, albeit that the US itself is believed to have carried out cyber warfare on Iran using the Stuxnet virus in order to try to derail the Iranian nuclear program. Add to this the increased risk of cyber espionage on businesses that lack appropriate security, and new legislation being proposed in the US and Europe on enhanced security for critical infrastructure companies, then it is inevitable that businesses will face challenges in keeping up to speed with the law as well as technical developments.
Charron: In the US we are seeing authorities ratcheting up the pressure on firms that have not implemented required privacy controls. There is a heavier hand for noncompliance, and less tolerance once a breach occurs. We are seeing this at both the state and federal level. The challenge for many companies is more the cost, and trade-off of new controls such as encryption, than it is from understanding the requirements. Still, some companies seem to operate as if they think they are immune and that they won’t be breached – but as we’ve seen, no matter who you are or what you build, you will be hacked.
FW: To what extent do social media issues impact upon compliance with cyber security and data privacy law? What factors should organisations consider in this regard?
Charron: Organisations should have a social media aspect to their risk management program. Getting this right is challenging as this space is so dynamic and its use so prevalent. Consider embracing social technology, leading employees in a positive direction so they are empowered to express themselves while still not doing so in a way that exposes your company to disparagement or other litigation.
Raether: The place to start is having the proper policies. The list can be long depending on the complexity of a company’s systems. Whether in a single document or as separate policies, systems users should be instructed on: recruiting and hiring; acceptable use; social media; remote access; termination; physical security; incident response; and others. These policies will need to be tailored to the culture of the company. A policy written in legalese is often not the best policy. We need employees to understand the instructions and guidance not only for later enforcement if violated, but more importantly so that they can comply with them. The clarity of the policies and related procedures is essential to day to day compliance. Sufficient training is important and a key factor of a sound compliance program. All employees should be instructed on what is permitted and prohibited. Best practices (and warnings as to current threats) should be communicated regularly. A virtual resource room should be established to address frequently asked questions and reaffirm updates on current trends and threats. Employees should be reminded that they are ultimately responsible and will be held accountable for any violations. As a result, both the training and the policy should be clear and in the tone and text easily understood by employees.
Bond: More than 50 percent of the world’s population is aged under 30 and it is the younger age group that are massive users of social media and online gaming, thus heightening the risk of a cyber incident. The threat from social media amongst other things is that the use of portable devices blurs the distinction between work being brought into home life and home life being brought into the work place. Without training and education, users will be one of the biggest contributors to a breach as they often fail to understand both the technology and the issues of confidentiality and discretion. Businesses need to control the use of personal devices in the workplace and implement technical and organisational procedures to keep information secure.
FW: What particular risks are associated with outsourcing and interactions with third party business partners? In your opinion do organisations pay enough attention to these risks? What steps can they take to mitigate such exposures?
Raether: I do not think that companies are giving this area enough attention, often focusing more on the terms of the agreement than actual performance. Security becomes more complicated any time you add more parties and transfer points. For healthcare in the US, these issues take on greater importance following the recent final rules on HIPAA. There are more opportunities for things to break. Logistics, accountability and compliance increase in complexity exponentially when you add another company. Initially, the laws and regulations at issue might change. A practice permitted for an internal transfer might be prohibited only because it has been outsourced. Outsourcing agreements are still important and need to address ownership of the data and responsibilities for data security, limitations on data usage, and roles in the event of an incident. Two key provisions often overlooked are: the requirement of proof of insurance; and the inclusion of security metrics in service level agreements. One of the more interesting current issues is outsourcing software development or firmware production and the risk of the third-party embedding malware in the code or device. The threat of nation-sponsored attacks – or corporate espionage – may impede cross-border transfers, and outweigh short term cost savings, as much as the law. Likewise, cloud computing has dramatically changed the dynamics of data security. It may be possible for companies to merge their resources to provide better security for a shared application or network architecture, although the user access settings and database architectural issues become more critical. President Obama’s recent executive order on data sharing might be more effective in the cloud model as companies may be less concerned about competitive disadvantages or loss of control. Although, again, keeping the data of multiple companies at a single point increases vulnerability as a cloud service may be a more attractive target for hackers.
Bond: There has always been a risk where businesses outsource processing of information, particularly personal data. The risk is greater now with the increasing use of cloud computing and the virtualisation of software. The risks arise for a number of reasons. Firstly, businesses that process personal data remain liable for loss of the personal data where it is processed by a third party and where those same businesses do not often address the risk. There is an increased demand by regulators for businesses to carry out what are called privacy impact assessments (PIAs) when using a third party in order to establish how information is going to be kept secure and the rights of individuals are going to be adduced. In the past, where third parties were used, the relationship was between the ‘controller’ and the ‘processor’. This was a direct relationship. With the use of cloud or virtualisation of software solutions, the controller does not always know where the data resides.
Charron: One area organisations may want to pay more attention to is the potential interruption of business resulting from contracting with the public cloud. Much emphasis has been put on the digital risk of the cloud but to date what we have seen has been downtime from storms, lightning and other physical events. Identifying the locations where your cloud service provider stores your data and back-ups and evaluating the natural catastrophe exposure of these geographies is critical considering the volatile climate we may experience.
FW: What trends and developments do you expect to see in the fields of cyber security and data privacy over the next 12 months?
Bond: We carried out a data privacy survey at the beginning of 2013 in which we asked multinational businesses what their key concerns were in the field of data privacy and assessed ourselves what the hot topics would be for the next 12 months. Unsurprisingly the greatest concerns of businesses in ascending order were: cyber crime; consumer rights; cloud computing; jurisdictional issues; the EU draft Data Protection Regulation; cookie compliance; and, top of the list, global data transfers. Other issues of concern included: managing subject access requests; social media in the workplace; and bring your own device and data security issues. Interestingly, topics that were not particularly mentioned as concerns were: privacy by design; screening and monitoring of employees; data leakage; data management; and engaging the board. Whilst it is not surprising that issues such as data transfers, cookies law and the EU Regulation were high on the list, we do expect that before too long key issues will include: data security; data breaches; data management; and managing consumer concerns.
Raether: We will continue to see the same sources of risk as in the past and some new ones. Unfortunately, many companies still have not embraced privacy by design – that is, baking security and privacy into product development and organisational practices. Likewise, employees will continue to be the weakest link in most security programs. Having good written policies and procedures is not enough. Education, awareness, and audit compliance are essential but often ignored components of good security practices. This risk will be heightened by the introduction of employee-owned devices. Many companies have been allowing this practice without modifying their policies and procedures – a big mistake. One particularly disturbing trend involves threats originating from state sponsored attacks, attacks from competitors, and hacktivist groups. Many security programs look to defend against the criminal who is looking for financial gain. These groups present a new threat profile that most companies are not yet addressing. For example, what process is in place to make sure that the overseas vendor is not inserting malware into the code they are writing or the firmware they are manufacturing? Finally, companies need to better allocate their data security resources to address not only perimeter security, but also invest in detection and the technical aspects of breach response.
Charron: On the insurance side I would expect more companies to purchase coverage. Underwriters will require prudent controls adding motivation for companies to embrace an enterprise security policy. On the organisation side I expect us to find the CIOs more engaged in risk management and the insurance buying decision. Who better to sit at the table to help a company size up the tech risk than the leader of IT? Finally, as far as the frequency and severity of breaches is concerned, there is no reason to think they will not increase. That’s as far as I’m willing to go – this space moves too quickly to predict.
Ronald I. Raether's broad experience with technology-related issues brings a unique and important perspective to successfully resolving disputes and developing creative compliance programs that blend well with existing business practices. These technology-related matters have spanned a broad array of substantive legal areas, including patent, antitrust, licensing and contracts, employment, trademark, domain name disputes, and federal and state privacy statutes.
Robert Bond has over 32 years’ experience in advising national and international clients on all of their commercial IP, technology and data protection requirements. He specialises in data, technology and information law and has market-leading expertise in a number of specialist sectors including computer games and digital media where he is an acknowledged industry expert. Mr Bond’s clients cover a wide spectrum, from growing businesses to major US-based multinationals.
Jim Charron is an expert and industry leader in insurance coverage for technology companies. His responsibilities include product development, project execution, distribution and portfolio management. Mr Charron’s specialties include information technology and clean technology.
© Financier Worldwide